said by ropeguru: So out of curiosity, how do you keep track of this between the time your research firms provide you with the IP and you entering it into the system to capture the customer's attention?
What happens if in the lag time the IP is allocated to someone else whose machine isn't infected? The only way I see to mitigate this is timestamps from the research company and you correlating this with stored info about what customer had that IP during that time period.
Our DHCP servers record when an IP lease changes, so we can track when we think someone was botted and whether their IP subsequently changed. Obviously we're trying to (1) avoid false positives and (2) not have bots that constantly change IPs to evade detection.
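The timestamp-to-lease correlation discussed in this exchange, sketched as an added example (not code from either poster or from any ISP's system). The lease record layout, customer IDs, addresses and the 5-minute clock-skew tolerance are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

def ts(s):
    """Parse a constructed ISO timestamp and treat it as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed lease history: (ip, customer, lease_start, lease_end); None = still active.
LEASES = [
    ("203.0.113.7", "cust-A", ts("2024-03-01T00:00:00"), ts("2024-03-03T10:00:00")),
    ("203.0.113.7", "cust-B", ts("2024-03-03T10:02:00"), None),
    ("203.0.113.9", "cust-A", ts("2024-03-03T10:05:00"), None),
]

def build_index(leases):
    """Group lease rows per IP so a report only scans that IP's history."""
    index = {}
    for ip, cust, start, end in leases:
        index.setdefault(ip, []).append((start, end, cust))
    return index

def attribute(index, ip, seen_at, skew=timedelta(minutes=5)):
    """Map a report "ip was seen at seen_at" to (customer, verdict).

    'match'     - exactly one customer held the IP within the skew window
    'ambiguous' - more than one did, so clock error between the reporter
                  and the DHCP log could flip the answer; do not notify
    'no_lease'  - nobody held the IP around that time
    """
    near, exact = set(), None
    for start, end, cust in index.get(ip, []):
        if seen_at >= start - skew and (end is None or seen_at <= end + skew):
            near.add(cust)
        if seen_at >= start and (end is None or seen_at < end):
            exact = cust
    if not near:
        return (None, "no_lease")
    if len(near) > 1:
        return (exact, "ambiguous")
    return (near.pop(), "match")

def current_ips(leases, customer):
    """IPs the customer holds now, to follow them after a lease change."""
    return sorted(ip for ip, cust, _, end in leases if cust == customer and end is None)
```

A report without a usable timestamp cannot be passed to `attribute` at all, which is the false-positive case raised in the question.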